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DIGITAL CREDENTIAL MONITORING 



5 BACKGROUND OF THE INVENTION 



As the popularity of the internet has grown so has the number of internet 
services available on the internet, both at the business to consumer and 
business to business level. 

However, an issue of concern to both consumers and businesses with respect 
to the provision of e-commerce and associated services is that of security and 
trust. 



1 5 To help address this issue secure web protocols have been developed, for 
example the secure sockets layer (SSL) protocol. The security provisions 
provided by SSL include server authentication, client authentication, data 
integrity and confidentiality. 

20 Authentication is provided by the exchange of digital certificates between the 
two users establishing a secure connection over the internet. The exchange of 
the digital certificates is an important process in the establishing of security 
and trust between two parties interacting on the internet. This is particularly so 
when the parties have never had any previous business interaction. 

25 

To provide confidence in the authentication process the digital identity 
certificates are issued by a trusted third party, for example Certification 
Authorities CA, who is responsible for managing the digital identity certificates 
life cycle. 
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The trusted third party monitors the status of a digital certificate. For example, 
the X.509 public key infrastructure (PKI) provides a check for the validity of 
X.509 certificates. This check, however, has to be done off-line. Therefore, a 
change in status of a digital certificate can not be monitored in real-time. 

5 

Current CA certificate management systems do not manage the real time 
"usage" of certificates at the application/service level, during active sessions 
within an enterprise. They are trust services external to the enterprise. They 
do not provide functionalities to an administrator to monitor the 
10 trustworthiness of digital credentials involved in active business transactions 
and tools to visualise aggregations of these certificates across multiple user 
web sessions 

It is desirable to improve this situation. 

15 

SUMMARY OF THE INVENTION 

In accordance with one aspect of the present invention there is provided a 
computer system comprising a first computer node coupled to a network, the 
20 first node being arranged to provide a service to a second computer node via 
a connection over the network; a controller for determining access to the 
service based upon a digital credential associated with the connection, the 
controller being arranged to vary access to the service over the connection in 
response to a change in status of the digital credential. 

25 

This provides the advantage of determining access to a service in 'real-time', 
thereby allowing a service level to be varied during a connection. 



30 



The term digital credential can include, identity certificate, attribute credential 
and anonymous credential. 
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Identity certificates are a collection of verifiable data containing information 
about the identity of entities, for example people, systems and applications. 
X.509 identity certificates are currently the most popular certificates used on 
the internet. An X.509 identity certificate binds a name to a public key. 

5 

Attribute credentials are a collection of verifiable attributes and properties 
associated to people, systems, applications and services. 

Anonymous credentials contain attributes that are not associated to any 
1 0 identity credential, for example, electronic cash. 

Therefore, users can analyse credentials to make decisions about the 
trustworthiness of the owners of the credentials. 

1 5 Preferably the digital credential is an attribute credential of an entity 
associated with the second computer node. 

Preferably the first computer node is arranged to provide the service to a 
plurality of computer nodes via a plurality of respective connections over the 
20 network. 

Suitably the controller is suitable for arranging digital credentials into groups, 
the groups being associated with a respective secure connection to allow a 
user to monitor the status of the digital credentials associated with a secure 
25 connection. 

Preferably the computer system further comprising a digital register for listing 
the status of digital credentials; monitoring means for monitoring the digital 
register for changes in the status of a digital certificate, wherein the controller 
30 is responsive to the monitoring means for varying access to the service in 
response to a change in status of the digital credential. 
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In accordance with a second aspect of the present invention there is provided 
a computer node for providing a service to a second computer node via a 
connection over a network, the computer node comprising a controller for 
determining access to the service based upon a digital credential associated 
5 with the connection, the controller being arranged to vary access to the 
service over the connection in response to a change in status of the digital 
credential. 

In accordance with a third aspect of the present invention there is provided a 
1 0 controller for determining access to a service provided by a first computer 
node to a second computer node via a connection over a network, the 
controller being arranged to vary access to the service over the connection in 
response to a change in status of a digital credential associated with the 
connection. 

15 

In accordance with a fourth aspect of the present invention there is provided a 
method for providing a service, the method comprising establishing a 
connection between a first computer node and a second computer node via a 
network; providing a service for the second computer node from the first 
20 computer node via the connection; determining access to the service based 
upon a digital credential associated with the connection; varying access to the 
service over the connection in response to a change in status of the digital 
credential. 

25 In accordance with a fifth aspect of the present invention there is provided a 
computer system comprising a first computer node coupled to a network, the 
first node being arranged to provide a service to a second computer node via 
a connection over the network; a controller for determining access to the 
service based upon a digital credential associated with the connection, the 

30 first node having memory for storing the digital credential associated with the 
connection and a display for presenting to a user information associated with 
the digital credential. 
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Preferably, the first node further comprises a controller for arranging digital 
credentials into groups, the groups being associated with a respective 
connection to allow a user to monitor digital credentials associated with a 
5 connection. 

BRIEF DESCRIPTION OF THE PREFERRED EMBODIMENTS 

For a better understanding of the present invention and to understand how 
10 the same may be brought into effect reference will now be made, by way of 
one example only, to the accompanying drawings, in which:- 

Figure 1 illustrates a computer system according to one embodiment of the 
present invention; 

15 

Figure 2 illustrates a computer system according to one embodiment of the 
present invention; 

Figure 3 illustrates a computer node according to one embodiment of the 
20 present invention; 

Figure 4 illustrates a user interface screen associated with one embodiment of 
the present invention; 

25 Figure 5 illustrates a user interface screen associated with one embodiment of 
the present invention; 

Figure 6 illustrates a user interface screen associated with one embodiment of 
the present invention; 

30 

Figure 7 illustrates a computer node according to one embodiment of the 
present invention; 
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Figure 8 illustrates a user interface screen associated with one embodiment of 
the present invention. 

5 DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Figure 1 shows a first computer node 1 (which could be, for example, a single 
computer or a plurality of computers), connected to a second computer 2 
(which could also be, for example, a single computer or a plurality of 

10 computers), via the internet 3. Both computer 1 and computer 2 have 

associated displays and keyboards, not shown. Also connected to the internet 
are certificate authorities, for example online certificate status protocol 
responder 4 OCSP, certificate verification server protocol responder 5 CVSP, 
certificate authorities CA 6 and attribute authorities 7 AA (for a description of 

1 5 these authorities see the internet engineering task force website 
www.ietf.org). 

Computer 1 is arranged to support, typically, business or private users 
requiring services from a service provider on the internet 3, and as such 

20 includes a network protocol stack 8 including an internet browser 9 for 
browsing the internet, as is well known to a person skilled in the art. In 
addition to the browser 9 the protocol stack includes a 'browser plug in' 10 for 
handling trust related processes such as helping a user to explicitly manage 
the trustworthiness of digital credentials and pushing and pulling digital 

25 credentials during active internet sessions, as described below. 

Computer 2 is arranged to support a service provider, typically an enterprise, 
for the provision of services to a client via the internet 3. Computer 2 
incorporates a webserver 1 1 for providing web access to computer 2 for web 
30 clients, for example computer 1 , as is well known to a person skilled in the art. 
In addition to a network protocol stack 12, computer 2 also includes a digital 
credential management system 13 for handling trust related processes, such 
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as the management of large numbers of heterogeneous credentials in real 
time, as described below. 

As computer 1 is arranged to support a user requiring a service, to aid clarity 
5 computer 1 will also, in this description, be referred to as user 1 to identify the 
user, which could be a human operator or a software/hardware agent, of 
computer 1 . 

As computer 2 is arranged to support an enterprise providing an internet 
10 service, to aid clarity computer 2 will also, in this description, be referred to as 
enterprise 2 to identify the enterprise which could be a human operator or a 
software/hardware agent, of computer 2. 

To enhance the level of security between a service provider using computer 2 
15 and a web client using computer 1 a secure connection, for example a secure 
socket layer SSL connection, (i.e. a session) is established between computer 
1 and the webserver 1 1 incorporated in computer 2, as is well known to a 
person skilled in the art. The SSL allows the authentication of users by the 
mutual transfer of digital identity certificates, the identity certificates being 
20 signed by a trusted third party such as a certificate authority CA 6, as is well 
known to a person skilled in the art. Once the users have been authenticated 
private keys are exchanged to allow encryption of data exchanged between 
the users. 

25 To allow further analyses and managing, by the enterprise 2, of digital 

credentials (e.g. identity certificates, attribute credentials) associated with a 
session digital credentials are passed to a digital credential management 
system 14 at the enterprise side of the secure connection (i.e. computer 2). 

30 The digital credential management system 14 is able to provide a full range of 
validation checks on the received digital credentials associated with a session 
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according to a trust policy that is defined for the enterprise 2, for example by a 
computer administrator. 

The validation checking of digital identity certificates associated with a session 
5 for the purposes of providing a service is defined as the user login phase. For 
this purpose the digital credential management system 14 incorporates a login 
service module, as shown in figure 2, that interacts with a session manager 
module to create a new session object that is associated with a secure 
session, for its whole lifetime. The session object associates extra users' 
10 information to their session, for example bank statements associated to a 
user. 



The login service module 16 retrieves the user's identity certificate from the 
web server 1 1 (used to establish the SSL session) and sends the certificate to 
1 5 a credential validation server module 1 7 for validation and trust management 
purposes. 



The credentials validation server module 17 executes a two-phase control on 
the digital credential. First it performs "classic" verification tasks, like integrity 

20 and validation path checks. It interacts with external entities such as CA, 
OCSP and CVSP to check if the credential is still valid. OCSP and CVSP 
responders perform basic validation tasks on-line. Second, the module 17 
determines the trustworthiness of the credential against explicit enterprise 
policies, for example checking explicit constraints on the validation path, on 

25 the issuer of the credentials, on the context in which the credential has been 
send. 



Validation policies can be defined by an administrator and evaluated by an 
authorization server module 18, incorporated in the digital credential 
30 management system 14, thereby allowing the second task to be performed at 
runtime. 
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The authorization server module 18 interprets authorization and validation 
policies on the fly. Policies are loaded when the authorisation server module 
18 starts up, along with the relevant models (service model, credential 
models, etc.)- At any time policies and models can be modified and reloaded 
5 by the authorization server module 18 without service disruption. This 
provides a high degree of freedom and flexibility to the administrator when 
dealing with trust management issues related to digital credentials. 

If the digital credential under verification does not satisfy enterprise trust and 
10 validation policies, the credential is rejected and an error message is sent 
back to the user. If the digital credential satisfies enterprise policies, then it is 
passed to a credential content management module 19 where the digital 
credential is abstracted and its content analysed and managed according to 
enterprise policies. The credential validation server module manages the 
1 5 interaction with the credential content manager module 19. 

The digital credential content management module receives digital credentials 
from the credential validation server module 17 to perform further trust 
analysis on the credential content. 

20 

The credential content management module 19 abstracts a digital credential 
according to an abstraction model to remove the credentials dependency on 
its low-level format. This allows the abstracted credentials to be seen as a 
collection of attributes by the other validation and authorization framework 
25 components, independently of their original representations. 

The credential content management module 19 also manages the content of 
a digital credential according to trust and credential content management 
policies defined by the enterprise 2. These policies define which credential 
30 components (attributes) need to be trusted, depending on their values, their 
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issuers, the presence of other credentials, etc. The evaluation of these 
policies is delegated to the authorization server 18. 

Every type of digital credential (identity, attribute and anonymous credential) is 
5 subject to this process. 

Once the digital credential has been abstracted and its content processed, the 
abstracted credential is returned to the credential validation server module 17. 

10 The credential validation server module 17 is interfaced to a user context 
manager module 20, where the credential validation server module 17 
forwards the abstracted digital credentials to the user context manager 
module 20. The user context manager module 20 stores the abstracted digital 
credentials into a user context area 21 associated with a user's session. 

15 

A user context area 21 contains all the relevant information known about a 
user during an active web session, for example user profile, roles and digital 
credentials. 

20 The user context manager module 20 manages the user context areas 21 and 
their associations to users' sessions, for the entire lifetime of these sessions. 

The user context manager module 20 provides a set of application program 
interface's API to access the content of a specific user context area 21 at 
25 different levels of abstraction. It allows the retrieval of attributes independently 
from their source (for example user profile, role and digital credential). In such 
a case it attaches to them metadata like their scope, qualifiers to allow 
analysis and evaluation by the authorisation server module 18. 

30 When a new user context area 21 is created, the user context manager 
module 20 retrieves from a database (not shown) of the enterprise 2 (service 
provider) relevant user information, like their profile and their roles and stores 
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it in this user context. The stored information may have been obtained during 
previous transactions. 

Each time the credential content management service module 19 successfully 
5 abstracts a user's credential, this credential is sent to the user context 
manager module 20 and stored in a user context area 21 . 

The user context manager module interacts with an object pool manager 
module 22 to dynamically manage the content of a user context. 

10 

Dynamic content management is useful as a particular role or a user profile 
could be valid just for a predefined period of time. Additionally a security 
administrator can modify the content of user profiles and roles at run time or 
during a user's session. Further, new digital credentials could be added to a 
15 user context area 21 during a user session and digital credentials could be 
disabled/removed from a user context area 21 during a user session. 

The ability to deal with these dynamic changes is important for the provision 
of real time authorization and access control service. The object pool 
20 manager module 22 is in charge of dynamically updating the content of user 
contexts each time one of the above events occurs. 

The user context manager module 20 supplies to a digital credentials usage 
monitoring service module 23 updated sets of active credentials (i.e. 
25 credentials that are currently used and enabled in a user context area and 
digital credential usage monitoring service monitoring 23 executes the request 
of enabling/disabling credentials depending on trust and business 
management decisions. 

30 The authorization server module 18 accesses a content of user contexts area 
21 whilst evaluating policies. Policies may contain explicit constraints that 
need to be evaluated against the content of a user context area 21 . 
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A user context gateway 24 manages the interaction between the user context 
manager module 20 and the digital credentials usage monitoring service 
module 23. It provides a high-level application program interface API that can 
5 be used to access both user context manager module 20 and digital 
credentials usage monitoring service module 23 functionalities. 

The user context gateway 24 acts as a gateway in the following cases; (i) 
when the user context manager module 20 sends to the digital credentials 
10 usage monitoring service module 23 an updated list of the digital credentials 
involved in active users' sessions; and (ii) when the digital credentials usage 
monitoring service module 23 asks the user context manager module 30 to 
enable/disable digital credentials, depending on trust and business 
management decisions. 

15 

Once user 1 has established a secure connection with enterprise 2 and has 
successfully completed the login phase and had their digital credentials 
validated by the enterprise 2, as described above, the enterprise 2 can 
provide a requested service over the secure session. Alternatively, before the 
20 service is provided the enterprise 2 may request the user to provide (push) 
further digital credentials (e.g. attribute credentials) in order to allow 
authorization to access services (i.e. to ensure that the enterprise has 
sufficient trust in the user). 

25 User 1 can push an attribute credential to the enterprise 2 by using the 
browser plug-in 10, as described below. The browser plug-in 10 wraps a 
credential in a extended mark-up language XML message, contacts a 
credential proxy module 25 associated with the digital credential management 
system 14 in the enterprise/computer 2 and sends the message to the proxy 

30 module 25 over the secure connection. 



30007315 US 

13 

The enterprise credential proxy module 25 is in charge of managing the push 
and pull process of attribute credentials. 

During the push phase, the enterprise credential proxy module 25 extracts the 
5 attribute credential from the XML message and sends it to the enterprise 
credential validation server module 17 to be validated. 

If the attribute credential is valid, it is sent to the credential content 
management service module 19 that abstracts it and sends it to the user 
10 context manager module 20. 

The user context manager module 20 stores the digital credential in a user 
context area 21 associated with a relevant secure session and sends a copy 
of the credential to the credentials usage monitoring service module 23 to 
1 5 enable a real time monitoring of this credential. 

User 1 can invoke the process of pushing a digital credential to the enterprise 
2 at any time (and more than once) during an active user's session with the 
enterprise 2. 

20 

In addition the user 1 might want to obtain more information about an 
enterprise 2, before trusting its services and exposing their digital credentials 
to it. The user 1 may request the enterprise 2 to send them verifiable 
enterprise credentials containing trusted information (issued by a trusted third 
25 parties), about the way the enterprise operates, the quality of its services, 
references, etc. 

Further, the enterprise 2 (or an entity on its behalf) can issue and send new 
digital credentials to user 1, which will be owned by the user. For example, 
30 where a bank sends digital statements to users containing information about 
their accounts. These user's credentials can enable further business 
transactions with other enterprises. 
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To request a digital credential (i.e. pull) from enterprise 2, user 1 sends a XML 
message to the enterprise 2 to request digital credentials. This message could 
contain a request to obtain enterprise's credentials or to collect new user's 
5 credentials. The request process can be very simple low level communication 
and request mechanisms can be made transparent to the user. The 
messages are sent via the associated secure connection. 

The enterprise credential proxy module 25 intercepts the user's request 
10 message and interprets it. If the request is valid, the proxy module 25 
interacts with a credential issuer/pusher module 26. 

The credential issuer/pusher module 26 is responsible for sending the 
enterprise's credentials to user 1 over the secure session, after verifying if the 
15 user 1 is entitled to receive the credentials. In order to do this, it interacts with 
the authorization server module 18 to evaluate proper polices based on the 
content of the current user context area 21. The enterprise credentials are 
sent to the credential proxy module 25, which wraps the credentials in another 
XML message and sends the message to the user 1 . 

20 

In addition the credential issuer/pusher module 26 also sends new user's 
credentials to user 1 over a secure session. This allows new credentials to be 
issued to user 1 in real time. The issuer of these credentials can be the 
module 26 itself or an external attribute authority. New digital credentials can 
25 be associated to the current user's identity or they can be anonymous. The 
module 26 verifies if the remote user is entitled to receive the new credentials. 
These new digital credentials are sent to the credential proxy module 25, 
which wraps the message in a XML message and sends it to the user over the 
secure connection. 

30 
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The process of pulling digital credentials from enterprise 2 can happen at any 
time and more that once during an active user's session with the enterprise 2. 

The process of exchanging credentials over a secure connection, as 
5 described above, can be used to establish trust or to increase the level of trust 
between two parties during business interactions. This enhances the process 
of providing services over the internet with customers that you have had no 
previous business relationship. 

10 This embodiment allows authorization policies to be associated to a service 
where the policies can be defined in a service model. If the authorization 
polices are defined in a service model the authorization server module 18 
loads the service model at start time (i.e. when authorization server module 
18 is 'booted up'). Should the policies in the service model be modified, the 

15 authorization server module 18 can reload them at any time, without any 
service disruption. 

In this embodiment, authorization is driven by policies. Depending on the 
service and the service functions a user wants to access, the authorization 
20 server module 18 is able to retrieve the correct set of authorization policies 
and evaluate them. 

Different policy evaluation strategies can apply, so for example, if at least one 
relevant policy is satisfied, the authorization is granted and the service is 
25 provided. 

Whilst making authorization decisions, the authorization server module 18 can 
access a broad range of information. For example, service function 
information; service parameters; system information, like time, date, external 
30 access control information; and the content of the user context area 21 
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associated to the user in the current session: user profile, user's roles, user's 
digital credentials. 

As stated above the management of digital credential on the user side is 
5 based on a browser plug-in 10 able to exchange credentials with enterprise 2 
by using an XML based protocol. XML is used because ease and simplicity of 
use, however other languages may be used, for example HTML. 

As shown in figure 3 the browser plug-in 10 includes a XML-based protocol 
10 handler module 28, a sender/importer modules 29,30, a cache 31, a loader 
module32, credential storage 33, a graphical user interface module 34 and 
pluggable modules 35. 

The XML-based protocol handler module 28 manages incoming and out 
15 coming XML messages. It implements an interpreter of the XML protocol to 
deal with the push and pulling of messages. 

The protocol consists of three XML messages, an INIT, a PUSH and PULL 
message. 

20 

The INIT message is a message containing initialisation information for the 
browser plug-in and includes the URL of the credential proxy module 25; and 
filtering information on digital credentials that can be sent by enterprise 2 to 
the user 1 (based, for example, on the credential issuer and signer). 

25 

The PUSH message contains one or more digital credentials sent by the user 
1 to the enterprise. 

The PULL message contains one or more digital credentials sent by the 
30 enterprise 2 to the user 1 . 
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As the XML messages are exchanged on a secure connection (based on 
SSL) the messages do not need to be signed. 



The sender/import modules 29, 30 are in charge of dealing with the process 
5 of pushing and pulling digital credentials. 



The import module 30 extracts and manages digital credentials that have 
been sent to the user 1 by enterprise 2. In particular it manages attribute 
credentials pushed by the enterprise 2. These credentials could belong to the 

10 enterprise 2 (to increase the level of trust) or to the user 1 (new attribute 
credentials associated to the user). The import module 30 is able to 
discriminate between the above two cases and associate credentials to the 
right owner. The import module 30 interacts with external pluggable modules 
35 (described below) to verify the trustworthiness of digital credentials and 

15 store them. The import module 30 is driven by the graphical user interface 
module 34. 



The sender module 29 deals with digital credentials that have been sent by 
the user 1 to enterprise 2. It verifies if the selected attribute credentials can be 
20 pushed to the enterprise 2 by analysing the current context (e.g. user's 
identity certificate, association of attribute credentials to this identity, etc.) The 
sender module 29 creates the XML messages that are going to be pushed to 
the enterprise 2. The sender module 29 is driven by the graphical user 
interface module 34. 

25 

The cache 31 is a volatile cache to store digital credentials involved in web 
sessions. These credentials may belong to the user 1 or the enterprise 2. Part 
of the cache memory is used to store the set of trusted CA roots (used for 
trust verification) retrieved from the credential storage 33. 

30 
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The loader module 32 loads X.509 identity certificates from the credential 
storage 33, which includes trusted root CA certificates. These certificates are 
used for credential validation purposes. 

5 The pluggable modules 35 are external to the browser plug-in 10. They 
provide core functionalities in term of credential management, for example 
validation, verification, storage. These modules 35 are plugged-in in the 
browser plug-in 10. This approach provides freedom to use proper and ad-hoc 
validation and storage solutions. User can implement their own ad-hoc 
1 0 validation and storage modules according to their requirements. 

The credential storage 33 is a secure storage for attribute credentials. While 
identity certificates (X.509 based) are stored in the credential storage 33, 
digital signed XML attribute credentials are explicitly stored and secured in a 
1 5 separate database. 

The graphical user interface module 34 is arranged to allow the credential 
information to be displayed on the display (not shown) and for user 1 to 
manage the secure sessions, thereby allowing the overall user experience to 
20 be simplified when dealing with digital credentials and associated 
management of trust. 

The graphical user interface module 34 can arrange the whole set of digital 
credentials exchanged and involved in an active web session between a user 
25 1 and a enterprise 2 to be displayed. For example, identity certificates and 
attribute credentials pushed by the user 1 to the enterprise 2; and identity 
certificates and attribute credentials owned by the enterprise 2 and pushed by 
enterprise 2 to the user 1 . 

30 The graphical user interface module 34 can be configured to automatically 
notified user 1 when a new digital credential has been sent to user 1. The 
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user 1 can accept or reject a credential after the trust verification and 
validation processes (automatically executed by the system). 

During a web session, the graphical user interface module 34 manages and 
5 checks the associations between attribute certificates and the legitimate 
identity certificates. In particular, this control is performed on incoming digital 
credentials. The graphical user interface module 34 automatically rejects 
attribute credentials that are not trusted or do not relate to any of the identity 
certificates used in the current session. 

10 

The graphical user interface module 34 dynamically manages the portfolio of 
active user's credentials. The graphical user interface module 34 can be 
configured to just present to the user 1 the list of attribute certificates the user 
1 is entitled to push to the enterprise 2 (set of attribute certificates associated 
15 to the current identity). 

Pushing a credential to the enterprise 2, from the users perspective, can 
simply be the dragging and dropping of an attribute credential in a session 
box (i.e. the graphic box on the display that represents the secure 
20 connection). 

Figures 4 illustrates an example of a possible user interface screen. The top 
left panel of the user interface screen, shown in figure 4, displays the updated 
set of digital credentials that have been exchanged during an active session 
25 both by the user 1 and the enterprise 2. This panel contains a reference to the 
identity certificate used by the user 1 to establish the SSL connection and any 
attribute credentials that may have been transferred over the SSL connection. 

The bottom left panel of the user interface screen, shown in figure 4, provides 
30 information about user's credentials. In particular it displays only the attribute 
credentials that are associated to the current identity certificate. 
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The user can exchange any of their credentials by selecting the appropriate 
credential and drag and dropping it in the "Session" panel. 

Figure 5 shows a view of the user interface screen after the user has pushed 
5 a citizenship credential. 

The user interface panels can display both user's credentials and the 
credentials exchanged by with enterprise 2. 

10 Figure 6 shows a user interface screen displaying the contents of an attribute 
credential provided by a market maker to the user. The attributes contained in 
the credential can be relevant to increase the perception of trust. For 
example, the attribute credential shown in figure 6 shows that the market 
maker is compliant with the security and audit requirements: 

15 

A user can administer at any time its current portfolio of digital credentials, 
even when they are no active sessions. 

The corresponding module on the enterprise 2 for handling the XML-based 
20 messages during an active secure session is the credential proxy server 
module 25. 

As described above the credential proxy server module 25 receives messages 
containing digital credentials sent by the user to the enterprise 2. It extracts 
25 these credentials from the XML message and sends the credentials to the 
validation server module 17, which validates the certificates and adds them to 
the appropriate user context area 21 . 

Digital credentials to be sent by the enterprise 2 to user 1 are forwarded to the 
30 credential proxy server module 25. The credential proxy server module 25 
wraps the digital credentials in a XML message and sends the message to the 
user's browser plug-in 10 when required over the secure session. 
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To provide real time status of a digital credential the credential usage 
monitoring service module 23 implements a real time monitoring system for 
digital credentials presented by user 1 to enterprise 2, during an active web 
5 sessions, as described below. 

This credential usage monitoring service module 23 is able to deal with real 
time, session-based credential validation and aggregation. The module 23 
can provide different views on set of credentials to a security administrator 
1 0 and tools for validating credential trustworthiness against enterprise policies. 

In addition the credential usage monitoring service module 23 can retrieve 
active digital credentials from the user context manager module 20 and 
aggregates them according to views required by the security administrator. 

15 

Examples of views supported by the credential usage monitoring service 
module 23 are; aggregation of attribute credentials and identity certificates in 
the context of a web session (between user 1 and the enterprise 2); 
aggregation of attribute credentials and identity credentials depending on the 
20 presence of specific attributes. For example credentials can be aggregated 
depending on the name of the company the owner of a credential works for or 
the name of a particular attribute (Credit Limit, Citizenship, etc.). 

Further the credential usage monitoring service module 23 can provide a 
25 dynamic control over the usage of digital credentials at the service level. 

For example an administrator can verify the validity of digital credentials using 
the credential usage monitoring service module 23 to interact with the 
validation service module 17 (driven by policies) or external validation 
30 mechanisms. Also an administrator can enable or disable users' credentials in 
real time. The credential usage monitoring service module 23 can interact with 
the user context manager module 20 to update its content. 
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As shown in figure 7, the credential usage monitoring service manager 23 
includes an object manager module 36, a session cache manager module 37, 
a data model module 38, an aggregation module 39, a credential usage 
5 control module 40 and a graphical user interface module 41 . 

The object manager module 36 acts as a proxy between the user context 
gateway module 24 and the session cache manager module 37. The object 
manager module 36 retrieves credentials contained in active user contexts 
10 areas 21 and the list of active users' sessions. The module 36 then provides 
this information to the session cache manager module 37. Should the status 
of a credential change, the module will communicate this change to the user 
context manager 20. 

15 The session cache manager module 37 caches information about the current 
set of active sessions and their associations to digital credentials. The session 
cache manager module 37 provides the cached data to the data model 
module 38. 

20 The data model module 38 contains information relating to how to interpret 
the content of digital credentials associated to sessions and how to represent 
them graphically. 

The aggregation module 39 implements functions to aggregate digital 
25 credentials depending on administrator's queries and selection criteria. These 
criteria could involve the content of digital credentials, value of particular 
attributes, association constraints, etc. 

The credential usage control module 40 controls the validity and 
30 trustworthiness of digital credentials associated to active sessions whilst they 
are used to access services. The control is driven by enterprise policies. The 
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credential usage control module 40 retrieves the set of credentials and 
sessions to be controlled from the aggregation module 39. 

The most common controls performed on credentials include, checking the 
5 validity of credentials, verifying their trustworthiness against enterprise 
policies, verifying the validity of associations of attributes credentials with 
identity certificates. 

The credential usage control module 40 can execute these controls in a 
10 programmable way. The controls can be scheduled and done periodically, 
each time a new credential is added or driven by administrator's initiatives. 

The credential usage control module 40 notifies the object manager module 
36 of any change of digital credential statuses. 

15 

An administrator can access the functionalities of the credential usage control 
module 40 by using a user interface associated with enterprise 2 via the 
graphical user interface 41. 

20 The graphical user interface module 41 implements the graphical routines, 
which are accessible to an administrator by the user interface. 

The graphical user interface module 41 generates user interface screens for 
display on a display (not shown), 

25 

The user interface screens simplifies the overall interaction of an administrator 
with the credential usage monitoring service module 23 by providing an 
abstract graphical representation of digital credentials and relationships 
among them. 

30 
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The user interface screens display aggregations and views on digital 
credentials in an intuitive way and allows the administrator to easily access 
tools to manage the validity and trustworthiness of digital credentials. 

5 The user interface screens can provides a list of all the active user contexts 
areas associated to user web sessions. The list can be updated dynamically, 
in real time. 

An administrator can select or look for a set of credentials and execute 
10 operation on it (enable, disable and verification). 

Figures 8 illustrate an example of a possible user interface screen. The top 
panel of the user interface screen, shown in figure 9, contains information 
about the current set of active contexts (active context list), each of them 
15 associated to an active user session. As the enterprise 2 is able to establish a 
plurality of secure connections with different users, at the same time, the 
interface screen is arranged to display each active user session. 

Each row shown in the top panel of figure 8 is an abstraction of an active user 
20 context and it contains references to the associated identity and attribute 
credentials. The contents of this display are updated in real time each time 
new users log in, exit their connections or push new credentials. 

The user interface allows an administrator to select rows or a sub set of them 
25 and apply search criteria. The user interface can be used to define search 
and grouping criteria for credentials. 

The user interface can allow the administrator to directly intervene on 
credentials and change their status in real time. 

30 



